All,
I've run into the same design problems as Ed is describing here as
well. There just doesn't seem to be an easy way to add in
Authentication to any of the spatial standards that have been set up.
I'm really having a hard time trying to decide just how to add
authentication. I also need to add it at the layer level which makes
things a bit more complicated. I'm not fond of the clear-text parameter
method either, and managing things on the server side is too much admin
overhead.
I have some ideas, but they all seem overly complicated.
bobb
Ed McNierney wrote:
Sean -
While I agree with you in theory, we need to acknowledge that our WMS servers
need (in some cases) to be easily accessible to the WMS clients our users want
to or need to use. I cannot tell my ArcGIS customers that my server uses HTTP
Basic authentication, because their client software provides no support for it
and no place for them to type their username and password.
For better or worse, the WMS specification is completely silent on the subject
of authentication, and therefore set no expectations on what a well-behaved
client is supposed to do. It is unreasonable to expect, in the absence of
guidance in the specification, that all WMS clients will support the complete
HTTP protocol suite in all its flavors, with the required user interfaces to
make that happen.
So we need to compromise to live in the real world. The "wrapper" script is
one way to do that. If I create a wrapper PHP script such that my WMS Resource URI
changes from:
http://my.server.com/mapserv?map=my.map&;
to:
http://my.server.com/mapserv.php?user=me&password=secret&;
then I'm really not doing anything different than what HTTP Basic
authentication is doing, except for putting a few of the bytes in different
places in the HTTP request. It is hard to see that using HTTP Basic
authentication is fundamentally the Right Way and the querystring parameters is
the Evil Way, since they are almost identical. Perhaps the wrapper approach
even has the benefit of reminding the user that their id and password are being
sent as clear text!
- Ed
Ed McNierney
Chief Mapmaker
Demand Media / TopoZone.com
73 Princeton Street, Suite 305
North Chelmsford, MA 01863
Phone: 978-251-4242, Fax: 978-251-1396
[EMAIL PROTECTED]
-----Original Message-----
From: UMN MapServer Users List [mailto:[EMAIL PROTECTED] On Behalf Of Sean
Gillies
Sent: Friday, August 31, 2007 6:49 PM
To: [email protected]
Subject: Re: [UMN_MAPSERVER-USERS] adding support for user authentication
within Mapserver for GetCapablities and GetMap
Gerry Creager wrote:
Gregor Mosheh wrote:
Sean Gillies wrote:
Gerry Creager wrote:
Rights management is now well into the investigatory and
specification stages in OGC.
He, that's excellent to hear. Thanks for the tip.
No, it's not excellent. DRM is defective by design.
Hrm, perhaps I misunderstood. I read "access control" as in password
protection to get into my WMS/WFS server.
Gerry, did you mean access control at the application layer, so I can
have Mapserver manage user accounts and access to my WMS layers, or
something deeper such as DRM on the imagery, copy-protection on
GeoTIFFs, and the like?
(yeah, it's off the topic of Mapserver; so's a lot of educational and
interesting stuff we talk about :)
The working group title is GeoDRM. I am not real happy with that but
the bigger organizations are thinking of the resources they've put into
their datasets and/or products. Some governments fail to see the
benefits to their citizens of making geospatial data widely available,
and thus are supporting this sort of thing. It's gonna be an
interesting period, but I'm trying to get them to see the benefits of
authentication/authorization/capabilities control. They keep thinking
the RIAA/MPAA model is good and working. We have interesting debates.
I can't tell if I'm making headway or not.
The National Middelware Initiative (NSF funded, Internet2/SURA
implemented) covers a lot of this via federation and credential exchange
in their Shibboleth software initiative.
gerry
Gerry, I'm all for security too, but I think it's already addressed for
web services by HTTP Basic + SSL/TLS. In my opinion, adding a spatial
and time dimensions to auth (user 'joe' can only use a service between
9am-5pm originating from Larimer County, Colorado) is pure geo-wankery.
The "GeoDRM" name -- it's clearly pandering to the non-technical guys in
suits who (like you say) still think the RIAA is the good guy.
Cheers,
Sean
